Security patch for the one true BIND 4.9.x (historical)

Although we do not recommend it,
some sites may prefer to continue using the deprecated
BIND 4.x
for whatever weird reasons rather than upgrade to 8.x or 9.x.
Unfortunately, some security features (running as a non-root user and
in a chrooted environment) were in 8.x+ only.
This patch makes these available back in 4.x (well, with some changes)
and adds
OpenBSD-style random IDs (the implementation differs, though).

We may help you apply this BIND patch to your installs and/or setup the
BIND chroot jail for you,
please check out our services.

November 14, 2002
Additional BIND vulnerabilities have been discovered by ISS,
affecting both the DNS server and the resolver library.
BIND 4.9.10-OW2 includes the patch provided by ISC
and is likely to become 4.9.11-OW1 once BIND 4.9.11 is officially released.

October 1, 2002
BIND 4.9.10 and 4.9.10-OW1 have been released and fix a read beyond end
of buffer vulnerability in the resolver library. The impact is believed
to be very minor (if any). The DNS server itself (named) is unaffected.
You may refer to the
CERT Vulnerability Note
for more information.

June 29, 2002
Joost Pol of PINE-CERT has discovered a vulnerability in the resolver
library code used on *BSD (as well as on a number of other systems,
including those based around the GNU C library prior to version 2.1.3)
and included with BIND.
The vulnerability affects applications and BIND tools that use the
vulnerable library code. The BIND DNS server itself (named) is unaffected.
You may refer to the
CERT advisory
for more information.

The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for this vulnerability, originally developed by
Jun-ichiro itojun Hagino of NetBSD.

Note that in order to make use of the fixes you need to rebuild all
applications that are statically linked against and make use of the
BIND-provided resolver routines.

January 29, 2001
COVERT Labs at PGP Security
has published a security advisory on a number of BIND vulnerabilities.
Unfortunately, they've since taken the advisory offline.
However, you can still see the corresponding
CERT advisory.

The BIND 4.9.7-OW5 patch contains fixes for the two most critical
vulnerabilities (known as
"infoleak" and
"complain bug")
that affect BIND 4.9.7.
Older released versions of the BIND 4.9.7-OW patches didn't include these fixes
and should be upgraded to at least 4.9.7-OW5 (the -OW patches, when used
properly, reduced the impact of the "complain bug" vulnerability,
though).

The BIND 4.9.8-OW1 patch no longer needs the "infoleak" and
"complain bug" fixes (as these bugs are fixed in the 4.9.8 release),
but adds a back-port of two fixes from BIND 8.2.2-P3+ (to the
"naptr" and "maxdname" bugs, which are believed to be
relatively minor and thus were not fixed in deprecated BIND versions
including BIND 4).